Chapter xx
Protection
Protection: Control of access within a computer system.
A number of different protection mechanisms have been proposed. We are going to talk about one of them -- the access matrix model.
Goals of Protection
- Operating system consists of a collection of objects, hardware and software.
- Each object has a unique name and can be accessed through a well-defined set of operations.
- Protection problem -- ensure that each object is accessed correctly and only by those processes that are allowed to do so.
Guiding principle of protection:
Programs, users and systems should be given just enough privileges to perform their tasks.
The Access Matrix Model
The model consists of three components:
- Objects -- Entities to which access may be controlled. Common examples of objects are files, pages in memory, programs, auxiliary memory devices, etc. Subjects are also objects, since they too need to be protected.
- Subjects -- Active entities that access objects. A subject may be regarded as a (process, domain) pair where the domain is the protection environment (context) in which the process is executing. A process may change domains within its execution, thereby becoming a part of multiple domains.
- Rules -- Govern the manner in which subjects may access objects.
The system maintains a protection state that specifies all types of access that subjects have to objects. Three issues need to be addressed:
- Representation of the protection state.
- Enforcement of access constraints.
- A controlled way for subjects to alter the protection state.
Representing the protection state.
A protection state is modeled by an access matrix, in which the rows denote subjects and the columns objects. The entry A[S,X] specifies the access rights held by subject S for object X.
An access matrix:
| \ | S1 | S2 | S3 | S4 | X1 | X2 |
|----|----|----|----|----|----|----|
| S1 | . | wait, signal | . | terminate | read | read, execute |
| S2 | wait, signal | . | wait, signal, send, terminate | . | append | write |
| S3 | . | wait, signal, receive | . | wait, signal, terminate | execute | . |
| S4 | . | . | wait, signal | control | . | . |
Enforcement of access constraints.
An object monitor is associated with each type of object. Each access to an object is validated in the following way:
- Subject S attempts to perform operation a on object X.
- The triple (S,a,X) is formed by the system and passed to the object monitor for X.
- The object monitor looks for the attribute a in A[S,X]. If it is present, then access is permitted and the operation is allowed to proceed. Otherwise, a protection violation occurs and access is not allowed.
Protection state transitions:
The access matrix itself is a protected object, controlled by a special monitor called the access matrix monitor. The access matrix monitor may:
- transfer, grant, read, or delete attributes on authorized requests from subjects.
- create and destroy subjects and objects.
A protection state:
| \ | S1 | S2 | S3 | F1 | F2 | D1 | D2 |
|----|----|----|----|----|----|----|----|
| S1 | control | owner, block, unblock | owner, control | read*, write* | read, write | seek | owner |
| S2 | block, unblock | control | switch | owner | update | owner | seek* |
| S3 | . | . | control | delete | owner, execute | . | . |
Actions that change the protection state:
- transfer attribute -- A subject that holds a* rights to an object may transfer a copy of attribute a to another subject. For example, S1 can transfer to S3 either read or read* rights to F1. If read*, then S3 may also transfer the rights to another subject.
- grant attribute -- This command allows the owner of an object to give any attribute for that object (except the owner attribute) to another subject. For example, S3 can grant any operation on F2 to S1 or S2.
- delete attribute -- This command allows subject S0 to delete access attributes to object X for another subject S if either subject S is under the control of S0 or object X is owned by S0.
- read -- This allows a subject to read the contents of the access matrix. This operation is useful for determining current access to an object by this subject or by a subordinate object.
- create object -- This command allows a subject to create a nonsubject object.
- delete object -- This command allows the deletion of an object by its owner.
- create subject -- This command allows any subject to create a subordinate subject. The creating subject becomes the owner of the new subject, and the new subject has control of itself.
- delete subject -- This command allows deletion of a subject by its owner.
Example: Suppose subject S wishes to create a subordinate subject Q having memory object M.
create subject Q;
create object M;
grant write to Q,M;
grant read to Q,M.
Another example:
Suppose subject S wants to delete the access rights of subordinate Q to object X:
w = read (Q,X);
delete w from Q,X.
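The validation step of the object monitor and the state-changing commands above, as an added example that is not part of the original notes: a small Python simulator of the access matrix in which subjects and objects are plain strings, attributes are strings with a trailing * marking the copy flag, and the method names are assumptions. The function at the end replays the two command sequences just given (create Q and M, grant Q write and read, then w = read(Q,M); delete w from Q,M).

```python
class AccessMatrix:
    """Sparse access matrix kept as a table of triples (S, X, A[S,X])."""
    def __init__(self):
        self.A = {}  # (subject, object) -> set of access attributes

    def read(self, s, x):  # the 'read' command: contents of A[S,X]
        return set(self.A.get((s, x), ()))

    def check(self, s, a, x):  # object monitor for X validates (S, a, X)
        if a not in self.A.get((s, x), ()):
            raise PermissionError(f"protection violation: {s} may not {a} {x}")
        return True

    def _add(self, s, x, a):
        self.A.setdefault((s, x), set()).add(a)

    def create_subject(self, creator, q):  # creator owns Q; Q controls itself
        self._add(creator, q, "owner")
        self._add(q, q, "control")

    def create_object(self, creator, m):  # nonsubject object owned by creator
        self._add(creator, m, "owner")

    def grant(self, owner, a, s, x):  # owner of X gives S any attribute but owner
        self.check(owner, "owner", x)
        if a == "owner":
            raise PermissionError("the owner attribute cannot be granted")
        self._add(s, x, a)

    def transfer(self, s0, a, s, x):  # S0 needs a* (copy flag); may pass a or a*
        self.check(s0, a.rstrip("*") + "*", x)
        self._add(s, x, a)

    def delete(self, s0, attrs, s, x):  # S0 must control S or own X
        if "control" not in self.read(s0, s) and "owner" not in self.read(s0, x):
            raise PermissionError(f"{s0} may not alter A[{s},{x}]")
        self.A.get((s, x), set()).difference_update(attrs)


def subordinate_example():
    """S creates subordinate Q and memory object M, then revokes Q's rights."""
    am = AccessMatrix()
    am.create_subject("S", "Q")
    am.create_object("S", "M")
    am.grant("S", "write", "Q", "M")
    am.grant("S", "read", "Q", "M")
    am.check("Q", "write", "M")   # M's object monitor permits the write
    w = am.read("Q", "M")         # w = read(Q, M) -> {'read', 'write'}
    am.delete("S", w, "Q", "M")   # delete w from Q, M (allowed: S owns M)
    return w, am.read("Q", "M")
```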
Representing and Managing the Access Matrix
- Table of triples -- The nonempty entries of A are maintained in a table, with each entry having the form (S,X,A[S,X]).
Advantages: We need to store only active objects in the table; conserves space.
Disadvantage: Searching the table for a subject or object that can access a given object can be inefficient.
- Capabilities -- Stored with each subject S is a list of pairs (X,A[S,X]), called capabilities, that represent the set of accessible objects and corresponding access privileges. This list, called a capability list, corresponds to a single row of the access matrix.
Advantages:
- Only the capability lists of active subjects need to be kept in main memory.
- For a given subject, it is possible to efficiently determine the set of objects that can be accessed.
Disadvantages:
- For a given object, it may be difficult to determine which subjects have access privileges.
- Revocation may leave numerous obsolete copies of capabilities in the system, especially if the recipient of a capability has transferred copies to other subjects.
Page tables are a typical example of the use of capabilities.
- Access control list -- Stored with an object is a list of pairs (S,A[S,X]), one for each subject that has access to the object. This list corresponds to a single column of the access matrix.
Advantages:
- For a given object, it is possible to efficiently determine which subjects have access privileges.
- Revocation of privileges is inexpensive.
Disadvantage: It may be difficult to determine the privileges of a given subject.
In this method, a monitor is associated with each object.
File directories are typical examples of the use of access control lists.
- Lock/key mechanism -- This method attempts to capture the advantages of both capabilities and access control lists. Stored with each subject S is a capability list consisting of pairs of the form (X,K), where X denotes an object that can be accessed by S with the key K. Stored with each object is an access control list (called a lock list) consisting of pairs of the form (L,a), where L denotes a lock and a denotes an access attribute. An attempted access b by subject S to object X causes the following actions by the protection system:
- The system finds the pair (X,K) from the capability list of the subject S and passes it to the monitor for X.
- The monitor permits the access only if it finds a pair (L,a) on the lock list with K=L and b a subset of a.
The owner of X grants access by granting (X,K) pairs to subjects and placing (K,a) on the lock list. Revocation by the owner is accomplished by deleting (K,a) from the lock list (i.e., by changing the lock). In this method a centralized monitor is needed to dispense capabilities to subjects, while individual monitors are also associated with each object.
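The lock/key scheme just described, as an added example that is not part of the original notes: a hypothetical Python protection system in which keys are integers handed out by a central dispenser, each object's lock list maps a lock to its attribute set, and the per-object monitor permits access b only when the subject's key matches a lock whose attributes include b. The demo function shows why revocation by changing the lock also kills copies of a capability that the recipient passed on.

```python
from itertools import count

class LockKeySystem:
    """Hypothetical lock/key protection system for the scheme described above."""
    def __init__(self):
        self.caps = {}         # capability lists: subject S -> {object X: key K}
        self.locks = {}        # lock lists: object X -> {lock L: set of attributes a}
        self.owner = {}        # object X -> owning subject
        self._keys = count(1)  # the centralized monitor that dispenses keys

    def create_object(self, s, x):
        self.owner[x], self.locks[x] = s, {}

    def grant(self, s0, x, s, attrs, key=None):
        """Owner S0 gives S the capability (X,K) and puts (K,a) on X's lock
        list; reusing an existing key lets several subjects share one lock."""
        if self.owner.get(x) != s0:
            raise PermissionError(f"{s0} does not own {x}")
        k = key if key is not None else next(self._keys)
        self.caps.setdefault(s, {})[x] = k
        self.locks[x][k] = set(attrs)
        return k

    def transfer(self, s, x, s2):
        """S passes a copy of its capability for X to S2 (it still names K)."""
        self.caps.setdefault(s2, {})[x] = self.caps[s][x]

    def revoke(self, s0, x, k):
        """Owner changes the lock: every capability naming K stops working."""
        if self.owner.get(x) != s0:
            raise PermissionError(f"{s0} does not own {x}")
        self.locks[x].pop(k, None)

    def access(self, s, x, b):
        """Monitor for X: permit b only if (X,K) is on S's capability list and
        some (L,a) on X's lock list has K == L with b a subset of a."""
        k = self.caps.get(s, {}).get(x)
        a = self.locks.get(x, {}).get(k)
        return k is not None and a is not None and set(b) <= a

def revocation_demo():
    """S1 grants S2 a key to F1, S2 passes a copy to S3, then S1 changes the lock."""
    ps = LockKeySystem()
    ps.create_object("S1", "F1")
    k = ps.grant("S1", "F1", "S2", {"read", "write"})
    ps.transfer("S2", "F1", "S3")   # S3 now holds a copy of (F1, K)
    before = ps.access("S3", "F1", {"read"})
    ps.revoke("S1", "F1", k)        # delete (K, a): both copies are dead at once
    after = (ps.access("S2", "F1", {"read"}), ps.access("S3", "F1", {"read"}))
    return before, after
```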